ICO consultation on the draft updated data sharing code of practice


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
survey, or you have any general queries about the consultation, please 
email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations 
and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[|] Yes 


K No 


Q2 If not, please specify where improvements could be made. 


The heading on page 48 Are we still responsible after we’ve shared the data? is 
potentially misleading. Some of the charities that we spoke to were concerned that this 
suggested data exporters would continue to be liable for the actions of data importers after 
they have shared personal data. We agree with the ICO’s recommendations in this section 
but we think the wording could make it clearer that, as long as the data exporter takes the 
recommended “reasonable steps” in advance of disclosure, they will not be liable under 
the data protection legislation for the actions of the data importer following the transfer. 


On page 70 (under the heading How does data sharing apply to mergers and 
acquisitions?), the Code cautions organisations to “take care” if there is a change in the 
controller as a result of a merger or acquisition. We think it is important to spell out that 
valid consent under the GDPR requires third parties to be specifically named so, if a 
merger results in a change of controller, the new controller will not be able to rely on 
consents given to the previous controller. This is particularly important in the charity sector 
where consent to receive marketing and fundraising communications can be extremely 
valuable assets — charities considering a merger need to understand that a new controller 
will not be able to rely on those consents. 


Q3 Does the draft code cover the right issues about data sharing? 


[|] Yes 


Q4 If no, what other issues would you like to be covered in it? 


Intra-group data sharing — the Code should include a section on data sharing 
between group companies. The current draft only refers in passing to sharing between 
sister organisations in the bullet point list on page 74 (under the heading How does data 
sharing apply to the acquisition or transfer of databases and lists?). We would 
welcome more detailed guidance on intra-group sharing and, in particular, we think it 
would be helpful if the Code highlighted that personal data processed on consent grounds 
cannot be shared between group companies unless the consent statements named each 
company or entity within the group that intends to rely on the consent. 


Change of service provider — many charities deliver services under contract from a 
public authority such as the NHS or Local Council. These contracts are regularly put out to 
tender and a change of service provider can result in the transfer of significant amounts of 
personal data. We think it would be helpful if the Code explicitly referred to data sharing in 
these situations. 


Q5 Does the draft code contain the right level of detail? 
L Yes 


K No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


Ad hoc/one-off data sharing — the Code draws a distinction between regular data 
sharing and ad hoc or one-off sharing. The implication is that a Data Sharing Agreement 
will not be required in all cases but it is not clear how organisations should make this 
decision. For example, it would clearly be disproportionate to negotiate a detailed Data 
Sharing Agreement with a third party in order to share a minimal amount of low-risk 
personal data on a one-off basis. Nevertheless, we suspect the ICO would still expect the 
data exporter to take some steps to ensure that the personal data will continue to be 
protected (e.g. asking the data importer to confirm that they will only use the personal data 
for specific purposes, agreeing between the parties that the personal data will be deleted 
when a specific task has been completed). It would be helpful if more detail could be 
added to the Code to clarify what is expected of controllers undertaking low-risk data 
sharing activities. 


We also think that the references to “one-off” data transfers are potentially misleading as 
the impression is that one-off transfers require less rigorous advance planning by 
controllers than regular data sharing activities. However, there could well be 
circumstances in which a Data Sharing Agreement would be justified for a one-off transfer 
of personal data, for example, one that involves sharing a large amount of confidential 
and/or special category personal data. We suggest that it would be more helpful to refer to 
higher- and lower-risk data sharing, as opposed to one-off/ad hoc versus regular sharing. 
We also think that it would be helpful to remind controllers to ensure they correctly 
distinguish between an ad hoc request from a third party for personal data and a subject 
access request made under Article 15 of the GDPR. 


Security — the security section (pages 47-49) seems lacking in detail. While we 
understand that the ICO would not wish to prescribe specific security measures in a 
statutory Code such as this, we would have expected the security section to include 
references to common types of technical security measures (e.g. encryption, password 
protection) and organisational measures (e.g. pseudonymisation, limiting staff access to 
documents and/or systems, keeping paper files in locked cabinets). 


Page 48 also states that the controller must undertake an “information risk analysis” and 
document its conclusions but it is unclear whether this analysis needs to be carried out in 
addition to a Data Protection Impact Assessment and, if so, what additional considerations 
should be addressed in an information risk analysis. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


[|] Yes 


K No 


Q8 If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


See answers to Question 2 (data protection issues relating specifically to consent in the 
context of mergers) and Question 4 (intra-group sharing) above. 


Q9 Does the draft code provide enough clarity on good practice in data 
Sharing? 


[|] Yes 


K No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


See answer to Question 6 above — it would be helpful to have more clarity in the Code 
around what is considered to be good practice for ad hoc, one off and/or low-risk data 
sharing situations where a full Data Sharing Agreement would be disproportionate. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


Yes 


O No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[|] Yes 


K No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


It would be helpful to include more case studies from the private sector which involve high 
risk and/or special category personal data being shared, for example, a case study from 
the charity sector. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


Strongly agree 

Agree 

Neither agree nor disagree 

Disagree 


Q16 Are you answering as: 


L] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public) 


L] An individual acting in a professional capacity 
On behalf of an organisation 
O Other 


Please specify the name of your organisation: 


Russell-Cooke Solicitors. The responses reflect feedback on the Code which we received 
at two roundtable discussions attended by representatives from thirteen charities of 
varying sizes and working in various sectors. 


Thank you for taking the time to share your views and experience. 